diff options
| author | Rémy Coutable <remy@rymai.me> | 2016-12-09 18:48:20 +0100 | 
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-12-12 13:50:31 +0100 | 
| commit | 2f45d3bcf0f28d4cd4124b4c9722edc1d3085201 (patch) | |
| tree | 4678734e87bd2d7e7c8819bf352908b74f8c14e1 /lib/api | |
| parent | 0f6964a38527e648551e981157d5489d4c301b76 (diff) | |
| download | gitlab-ce-2f45d3bcf0f28d4cd4124b4c9722edc1d3085201.tar.gz | |
API: Memoize the current_user so that the sudo can work properly
The issue was arising when `#current_user` was called a second time
after a user was impersonated: the `User#is_admin?` check would be
performed on it and it would fail.
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/helpers.rb | 131 | ||||
| -rw-r--r-- | lib/api/users.rb | 2 | 
2 files changed, 79 insertions, 54 deletions
| diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 8b0f8deadfa..2041f0dac6b 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -7,67 +7,23 @@ module API      SUDO_HEADER = "HTTP_SUDO"      SUDO_PARAM = :sudo -    def private_token -      params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER] -    end - -    def warden -      env['warden'] -    end - -    # Check the Rails session for valid authentication details -    # -    # Until CSRF protection is added to the API, disallow this method for -    # state-changing endpoints -    def find_user_from_warden -      warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD']) -    end -      def declared_params(options = {})        options = { include_parent_namespaces: false }.merge(options)        declared(params, options).to_h.symbolize_keys      end -    def find_user_by_private_token -      token = private_token -      return nil unless token.present? - -      User.find_by_authentication_token(token) || User.find_by_personal_access_token(token) -    end -      def current_user -      @current_user ||= find_user_by_private_token -      @current_user ||= doorkeeper_guard -      @current_user ||= find_user_from_warden - -      unless @current_user && Gitlab::UserAccess.new(@current_user).allowed? -        return nil -      end - -      identifier = sudo_identifier +      return @current_user if defined?(@current_user) -      if identifier -        # We check for private_token because we cannot allow PAT to be used -        forbidden!('Must be admin to use sudo') unless @current_user.is_admin? -        forbidden!('Private token must be specified in order to use sudo') unless private_token_used? +      @current_user = initial_current_user -        @impersonator = @current_user -        @current_user = User.by_username_or_id(identifier) -        not_found!("No user id or username for: #{identifier}") if @current_user.nil? -      end +      sudo!        @current_user      end -    def sudo_identifier -      identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER] - -      # Regex for integers -      if !!(identifier =~ /\A[0-9]+\z/) -        identifier.to_i -      else -        identifier -      end +    def sudo? +      initial_current_user != current_user      end      def user_project @@ -354,6 +310,79 @@ module API      private +    def private_token +      params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER] +    end + +    def warden +      env['warden'] +    end + +    # Check the Rails session for valid authentication details +    # +    # Until CSRF protection is added to the API, disallow this method for +    # state-changing endpoints +    def find_user_from_warden +      warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD']) +    end + +    def find_user_by_private_token +      token = private_token +      return nil unless token.present? + +      User.find_by_authentication_token(token) || User.find_by_personal_access_token(token) +    end + +    def initial_current_user +      return @initial_current_user if defined?(@initial_current_user) + +      @initial_current_user ||= find_user_by_private_token +      @initial_current_user ||= doorkeeper_guard +      @initial_current_user ||= find_user_from_warden + +      unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed? +        @initial_current_user = nil +      end + +      @initial_current_user +    end + +    def sudo! +      return unless sudo_identifier +      return unless initial_current_user.is_a?(User) + +      unless initial_current_user.is_admin? +        forbidden!('Must be admin to use sudo') +      end + +      # Only private tokens should be used for the SUDO feature +      unless private_token == initial_current_user.private_token +        forbidden!('Private token must be specified in order to use sudo') +      end + +      sudoed_user = User.by_username_or_id(sudo_identifier) + +      if sudoed_user +        @current_user = sudoed_user +      else +        not_found!("No user id or username for: #{sudo_identifier}") +      end +    end + +    def sudo_identifier +      return @sudo_identifier if defined?(@sudo_identifier) + +      identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER] + +      # Regex for integers +      @sudo_identifier = +        if !!(identifier =~ /\A[0-9]+\z/) +          identifier.to_i +        else +          identifier +        end +    end +      def add_pagination_headers(paginated_data)        header 'X-Total',       paginated_data.total_count.to_s        header 'X-Total-Pages', paginated_data.total_pages.to_s @@ -386,10 +415,6 @@ module API        links.join(', ')      end -    def private_token_used? -      private_token == @current_user.private_token -    end -      def secret_token        Gitlab::Shell.secret_token      end diff --git a/lib/api/users.rb b/lib/api/users.rb index 1dab799dd61..c7db2d71017 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -353,7 +353,7 @@ module API          success Entities::UserPublic        end        get do -        present current_user, with: @impersonator ? Entities::UserWithPrivateToken : Entities::UserPublic +        present current_user, with: sudo? ? Entities::UserWithPrivateToken : Entities::UserPublic        end        desc "Get the currently authenticated user's SSH keys" do | 
